RE: OT: Disabling of Password Recovery Is Cracked, Without Losing Config....

From: Harris, Joe F (Joe_Harris@xxxxxxxxxxxx)
Date: Sat Dec 01 2001 - 14:20:27 GMT-3


   
Hi Scott,

I do not know why my routers allowed me to perform this without erasing the
configuration. I kinda thought it might have just been a fluke, so I
performed the same process on 4 other of my 2600 series routers and each
time I got the same result, yet when you tried it it blew the configuration
away. This puzzles me...and so I will gather up some more routers and
investigate.

About the enable password thing, notice later in the output after it asks me
to reset the router back to the factory defaults it prompted me (for
whatever reason, which I have not been able to figure out yet) and asked if
I wanted to run the "no service password-recovery" command, although the
router has not even finished booting yet and I never had the opportunity to
enter the command. If you answer "no" to the question then the command is
not entered into the configuration and after the router finishes loading you
can simply power-cycle the router back down and perform the widely available
password recovery procedure.

-Joe

-----Original Message-----
From: Scott Morris
To: 'Harris, Joe F'; 'Basel Tashkandi '
Cc: ccielab@groupstudy.com
Sent: 12/1/01 10:39 AM
Subject: RE: OT: Disabling of Password Recovery Is Cracked, Without Losing Config....

For some reason then, it appears to have not erased your configuration...
If you have to enter the enable password (you knew yours), but didn't know
it (hence the idea of password recovery), would you not be equally screwed?
:)

I'm not sure why yours did what it did, but I assure you the couple times I
have had to do this, it did indeed kill the configuration.

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Harris, Joe F
Sent: Saturday, December 01, 2001 8:00 AM
To: 'Basel Tashkandi '; Harris, Joe F
Cc: ''ccielab@groupstudy.com' '
Subject: RE: OT: Disabling of Password Recovery Is Cracked, Without Losing Config....

I have to enter the enable mode password, which in my case was set to cisco
for testing.

-Joe

-----Original Message-----
From: Basel Tashkandi
To: Harris, Joe F
Cc: 'ccielab@groupstudy.com'
Sent: 12/1/01 2:51 AM
Subject: Re: OT: Disabling of Password Recovery Is Cracked, Without Losing Config....

Hi Joe,
When you wanted to go into the enable mode did you enter the password or it
just let you in?
thanks

At 23:04 30/11/2001 -0600, Harris, Joe F wrote:
>All,
>
>I sent an earlier email stating that if you issued the "no service
>password-recovery" command that the only way I had found to bypass the
>command was to replace the bootrom. I was informed that Scott Morris had
>posted an earlier email showing another process that could be used to bypass
>the command but you would lose your configuration. I took what he stated
>and tried a few things a little different and found a way around the command
>so that if you issue the "no service password-recovery" command you can
>totally bypass the effects of the command and keep your config. Please note
>that I have successfully done this today on the 2600 series platform only. I
>am posting below the entire screen capture of the commands needed to bypass
>the effects of the command. Every piece of software is always written with a
>hook (CISSP information) and Cisco IOS is no different.
>
>Router-1#
>Router-1#
>Router-1#term leng 0
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#config t
>Enter configuration commands, one per line. End with CNTL/Z.
>Router-1(config)#no service password-recovery
>WARNING:
>Executing this command will disable password recovery mechanism.
>Do not execute this command without another plan for
>password recovery.
>
>Are you sure you want to continue? [yes/no]: yes
>Router-1(config)#end
>Router-1#
>00:04:00: %SYS-5-CONFIG_I: Configured from console by console
>Router-1#wr mem
>Building configuration...
>[OK]
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>no service password-recovery
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#reload
>Proceed with reload? [confirm]
>
>00:05:00: %SYS-5-RELOAD: Reload requested
>System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>Copyright (c) 1999 by cisco Systems, Inc.
>TAC:Home:SW:IOS:Specials for info
>C2600 platform with 49152 Kbytes of main memory
>
>PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>program load complete, entry point: 0x80008000, size: 0x928024
>Self decompressing the image :
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>#######################################################################
#####
>########################################################## [OK]
>!Do Not issue the break sequence here!!!!
>
> Restricted Rights Legend
>
>Use, duplication, or disclosure by the Government is
>subject to restrictions as set forth in subparagraph
>(c) of the Commercial Computer Software - Restricted
>Rights clause at FAR sec. 52.227-19 and subparagraph
>(c) (1) (ii) of the Rights in Technical Data and Computer
>Software clause at DFARS sec. 252.227-7013.
>
> cisco Systems, Inc.
> 170 West Tasman Drive
> San Jose, California 95134-1706
>
>
>
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
>SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>Image text-base: 0x80008088, data-base: 0x8107A5D0
>!
>!Issue Break Sequence Here
>!
>
>PASSWORD RECOVERY IS DISABLED.
>Do you want to reset the router to factory default
>configuration and proceed [y/n] ?
>!Answer this question with a "y", the question mark cannot be deleted
>
>Reset router configuration to factory default.
>
>
>Compliance with U.S. Export Laws and Regulations - Encryption
>
>This product performs encryption and is regulated for export
>by the U.S. Government.
>
>This product is not authorized for use by persons located
>outside the United States and Canada that do not have prior
>approval from Cisco Systems, Inc. or the U.S. Government.
>
>This product may not be exported outside the U.S. and Canada
>either by physical or electronic means without PRIOR approval
>of Cisco Systems, Inc. or the U.S. Government.
>
>Persons outside the U.S. and Canada may not re-export, resell,
>or transfer this product by either physical or electronic means
>without prior approval of Cisco Systems, Inc. or the U.S.
>Government.
>
>cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of memory.
>Processor board ID JAD042206GN (1804004596)
>M860 processor: part number 0, mask 49
>Bridging software.
>X.25 software, Version 3.0.0.
>SuperLAT software (copyright 1990 by Meridian Technology Corp).
>TN3270 Emulation software.
>1 FastEthernet/IEEE 802.3 interface(s)
>1 Serial network interface(s)
>32K bytes of non-volatile configuration memory.
>16384K bytes of processor board System flash (Read/Write)
>
>!Now for some reason (I have not figured it out yet) the router acts as
>!though you just issued the command again and gives you a chance to
>!reverse the command
>
>WARNING:
>Executing this command will disable password recovery mechanism.
>Do not execute this command without another plan for
>password recovery.
>
>Are you sure you want to continue? [yes/no]: no
>!As you can see I answered no to the question
>
>
>Press RETURN to get started!
>
>Passed
>00:00:36: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>00:00:36: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
>00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
>00:00:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
>00:00:48: %SYS-5-CONFIG_I: Configured from memory by console
>00:00:48: %SYS-5-RESTART: System restarted --
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C260Translating "Router-1"
>
>Router-1>0-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>00:00:49: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>00:00:49: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
>00:00:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
>Router-1>en
>Password:
>00:00:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
>!
>!My config is still there
>!
>Router-1#sh ru
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname Router-1
>!
>enable secret 5 $1$sCnF$E51c1b/cHBjLYLw.zcboU1
>!
>!
>!
>!
>!
>ip subnet-zero
>ip tcp synwait-time 15
>no ip domain-lookup
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>!
>!
>end
>
>Router-1#
>Router-1#
>Router-1#
>Router-1#sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE
>SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Tue 07-Dec-99 07:11 by phanguye
>Image text-base: 0x80008088, data-base: 0x8107A5D0
>
>ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
>Router-1 uptime is 1 minute
>System returned to ROM by reload
>System image file is "flash:c2600-jo3s56i-mz.120-7.T.bin"
>
>cisco 2620 (MPC860) processor (revision 0x102) with 39936K/9216K bytes of memory.
>Processor board ID JAD042206GN (1804004596)
>M860 processor: part number 0, mask 49
>Bridging software.
>X.25 software, Version 3.0.0.
>SuperLAT software (copyright 1990 by Meridian Technology Corp).
>TN3270 Emulation software.
>1 FastEthernet/IEEE 802.3 interface(s)
>1 Serial network interface(s)
>32K bytes of non-volatile configuration memory.
>16384K bytes of processor board System flash (Read/Write)
>
>Configuration register is 0x2102
>
>Router-1#
>
>
>-Joe Harris
>CCIE# 6200
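
A defender-side check for the outcome shown in the capture above, as an added example that is not part of the original thread: it compares a saved baseline with the current configuration and flags the case where "no service password-recovery" has disappeared while every other line is unchanged. The function names, verdict strings and the trimmed sample configurations are constructed for illustration.

```python
GUARD = "no service password-recovery"
SKIP = ("!", "Building configuration", "Current configuration")

def config_lines(text):
    """Significant config lines: no blanks, '!' separators or 'show run' banners."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith(SKIP)]

def audit(baseline, current):
    """Compare a saved baseline with the current config and classify guard drift."""
    base, cur = config_lines(baseline), config_lines(current)
    # Lines present on only one side, ignoring the guard command itself.
    other = sorted((set(base) ^ set(cur)) - {GUARD})
    if GUARD in cur:
        verdict = "ok"
    elif GUARD not in base:
        verdict = "WARN: guard not in baseline or current config"
    elif other:
        # Consistent with a factory reset or a wider change.
        verdict = "ALERT: guard removed, config also changed"
    else:
        # The outcome reported in this thread: only the guard line is gone.
        verdict = "ALERT: guard removed, config otherwise intact"
    return {"verdict": verdict, "other_changes": other}

# Constructed sample, trimmed from the capture in the thread; the enable
# secret is replaced by a placeholder.
BASELINE = """\
Current configuration:
!
version 12.0
service timestamps debug uptime
no service password-encryption
no service password-recovery
!
hostname Router-1
!
enable secret 5 <hash-placeholder>
ip subnet-zero
end
"""
AFTER = BASELINE.replace(GUARD + "\n", "")          # guard line gone, rest kept
FACTORY = "version 12.0\nhostname Router\nend\n"    # constructed reset config

if __name__ == "__main__":
    for name, cfg in (("after reboot", AFTER), ("factory reset", FACTORY)):
        print(name, audit(BASELINE, cfg))
```
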



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:35 GMT-3